Controlling Information Systems: Business Process Controls
In this chapter we learn how to analyze narratives and system flowcharts and begin to ANALYZE our documentation of business processes for controls that exist or are missing. For missing controls, implementation should proceed next (assuming the benefits of these controls exceed the exposure risk). For existing controls, we still need to determine whether they are operating as expected or need to be corrected, and lastly we need to determine whether we have too many overlapping controls in place, creating costs that may exceed the benefits.
The Control Matrix (definition):
It is a tool designed to assist you in analyzing a systems flowchart and related narrative. It establishes the criteria to be used in evaluating the controls in a particular business process.
Steps in Preparing the Control Matrix:
Step 1: Specify Control Goals: represents the first step in building a control matrix. The goals are listed across the top row of the matrix.
1) Identify operations process goals - In order to determine which operations process goals are appropriate for the business process under review, it might be helpful to consider the purpose of the business process, which resources are utilized in executing the process, are the resources used efficiently, are they secure, and what are the undesirable risks that the operations are exposed to.
a) Effectiveness goals - The purpose of this goal of the operations process is to ensure the successful accomplishment of the goals set forth for the business process under consideration.
b) Efficiency goals - The purpose of this goal of the operations process is to ensure that all resources used throughout the business process are being employed in the most productive manner.
c) Security goals - The purpose of this goal of the operations process is to ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse.
2) Identify information process goals - When deciding the appropriate information process goals for the business process under evaluation, it might be helpful to consider what information will be affected during the input and update process and what the undesirable risks are to which the information is exposed.
a) Input goals - The purpose of these goals of the information process is to ensure input validity (IV), input completeness (IC), and input accuracy (IA) with respect to all business process data that is entered into the system.
b) Update goals - The purpose of these goals of the information process is to ensure the update completeness (UC) and update accuracy (UA) of business process input data.
Step 2: Recommend Control Plans: for the business process under evaluation. This step focuses on the nature and extent of control plans that should be in place to minimize such risks to an acceptable level of residual risk. In the final analysis, the comfort level that management and auditors reach with respect to residual risk is a matter of professional judgment. Each operations and information process goal should be addressed by one or more control plans.
1) Annotating "Present" control plans: Start in the upper-left hand column of the systems flowchart and spot the first manual keying symbol, manual process symbol, or computer process symbol. Then follow the sequential logic of the systems flowchart and identify all of the process-related symbols, annotating each one with P-1, P-2 and so on until you have accounted for all present control plans. Each process-related symbol reflects an internal control plan which is already "present". While a control plan may be present, it may not be working as effectively as it should.
2) Evaluating "Present" control plans: Write the number and name of each control plan in the left hand column of the control matrix. Then, starting with P-1, look across the row, determine which control goals the plan addresses, and place a P-1 in each cell of the matrix for which P-1 is applicable. Continue this procedure for each of the present control plans. Simultaneously, in the legend of the matrix, describe how the control plan addresses each noted control goal.
3) Identifying and Evaluating "Missing" control plans: The next step in recommending control plans is to determine if additional controls are needed to address missing control goal areas, strengthen present control plans, or both. The first place to start is to look at the control matrix and see if there are any control goals that no present control plan addresses. If so, in the left hand column of the matrix, number the first missing control plan as M-1 and label or title the plan. Place M-1 in each cell for which the missing control is designated. In the legend, explain how the missing control will address each noted control goal. On the systems flowchart, annotate M-1 where the control should be inserted. If there are still control goals that no control plan has addressed, develop another plan (M-2) and repeat.
Generic Control Plans:
Input Plans (Manual Input)
Well-Designed Documents – easier to input and segregates recording events from safeguarding resources by preventing the data entry clerk from needing to access the document's underlying resource (effective, efficient, accurate)
Written Approvals – validates event
Preformatted Screens – easier to input, defines acceptable format for each data field, prevents users from omitting any mandatory fields, automatically populates some fields with default terms (effective, efficient, accurate)
Online Prompts – requests user input or asks questions that the user must answer, easier to input (effective, efficient, accurate)
Enter Close to Source – more timely data processing (effective, efficient); data entry person is more knowledgeable of the event (accuracy); less likelihood of loss (completeness)
Authenticate Input – digital signatures, encryption (security, validity, accuracy)
Populate Input with Master Data – less needs to be input and comparisons between input and master can be made (effective, efficient, accuracy, validity)
Automatic Scanning/Input – easier to input (effective, efficient, accurate, complete)
Input Plans (Batch Input)
Use Turnaround Documents – capture and input subsequent event (effective, efficient, valid, accurate)
Edit Input Plans
Automated Checks – types of programmed edit checks include reasonableness, hash totals, mathematical accuracy, and check digit verification (effective, efficient, accurate)
Input/Master Checks – types of these checks include data dependency, data validity, data accuracy, and sequence (effective, efficient, valid, accurate)
Resolve Errors Plans
Process in Place – complete
Reconcile Batch Totals (manually) – valid, complete and accurate
Reconcile Batch Totals (automated) – effective, efficient, valid, complete and accurate
Reconcile Input & Output Batch Totals (run-to-run) – secure, valid, input and update complete, input and update accurate
One-to-One Checking – secure, valid, input and update complete, input and update accurate
Correct Errors/Input Plans
Key-in Corrections - accuracy
Record Input Plans
Provide Feedback – completeness
Automatic Record Input – effective and efficient
Automatic Updating – effective, efficient, valid, input and update accurate
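The Edit Input plans (automated checks: reasonableness, mathematical accuracy, check digit verification, hash totals) and the Resolve Errors plans (reconcile batch totals, run-to-run reconciliation) fit together in one batch-processing pass. The following is an added example, not code from the chapter: it runs per-record edit checks on a keyed batch, reconciles the batch's record count, hash total and dollar total against a control slip prepared from the source documents, and then reconciles what the update run actually posted against what was accepted (run-to-run). The invoice data, the customer master, the mod-10 (Luhn) check-digit scheme for customer numbers and the reasonableness limit are all constructed assumptions for this example.

```python
"""Programmed edit checks and batch-total reconciliation: an added, constructed
example. The data, field names and tolerances are invented for illustration;
nothing here is code from the chapter."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class KeyedLine:
    invoice_no: str
    customer_no: str        # last digit is a mod-10 (Luhn) check digit (assumption for this example)
    qty: int
    unit_price_cents: int
    amount_cents: int       # keyed extension; should equal qty * unit_price_cents


@dataclass(frozen=True)
class BatchTotals:
    record_count: int       # input completeness: no document dropped or keyed twice
    hash_total: int         # sum of customer numbers; meaningless as a number, detects mis-keyed IDs
    dollar_total_cents: int # financial total: detects mis-keyed amounts


def check_digit_ok(number: str) -> bool:
    """Check digit verification (mod-10 / Luhn): catches single-digit errors and most
    adjacent transpositions in an identifier such as a customer number."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_line(line: KeyedLine, max_amount_cents: int = 1_000_000) -> list[str]:
    """Programmed edit checks on one keyed record; returns the reasons it fails (empty = passes)."""
    errors = []
    if not check_digit_ok(line.customer_no):
        errors.append("check digit: customer_no fails mod-10 verification")
    if line.qty * line.unit_price_cents != line.amount_cents:
        errors.append("mathematical accuracy: qty * unit_price does not equal amount")
    if not 0 < line.amount_cents <= max_amount_cents:
        errors.append("reasonableness: amount outside the expected range")
    return errors


def batch_totals(lines: list[KeyedLine]) -> BatchTotals:
    return BatchTotals(
        record_count=len(lines),
        hash_total=sum(int(l.customer_no) for l in lines),
        dollar_total_cents=sum(l.amount_cents for l in lines),
    )


def reconcile(computed: BatchTotals, control: BatchTotals) -> dict[str, tuple[int, int]]:
    """Return {field: (computed, control)} for every total that does not agree."""
    return {
        f: (getattr(computed, f), getattr(control, f))
        for f in ("record_count", "hash_total", "dollar_total_cents")
        if getattr(computed, f) != getattr(control, f)
    }


def update_run(master: dict[str, int], accepted: list[KeyedLine]) -> BatchTotals:
    """Post accepted lines to customer balances and report what was actually posted.
    A customer missing from the master is skipped here on purpose, to show the kind of
    lost update that only a run-to-run reconciliation reveals."""
    posted = []
    for l in accepted:
        if l.customer_no in master:
            master[l.customer_no] += l.amount_cents
            posted.append(l)
    return batch_totals(posted)


def process_batch(lines: list[KeyedLine], control_slip: BatchTotals, master: dict[str, int]) -> dict:
    rejected = {l.invoice_no: errs for l in lines if (errs := edit_line(l))}
    accepted = [l for l in lines if l.invoice_no not in rejected]
    input_diffs = reconcile(batch_totals(lines), control_slip)          # keyed batch vs control slip
    posted = update_run(dict(master), accepted)
    update_diffs = reconcile(posted, batch_totals(accepted))            # run-to-run: update vs input
    return {"accepted": accepted, "rejected": rejected,
            "input_diffs": input_diffs, "update_diffs": update_diffs}


# Constructed data. The control slip was prepared from the four source documents:
# customers 10041, 25171, 38901, 44255 with amounts 5000, 12500, 3000, 3000 cents.
CONTROL_SLIP = BatchTotals(record_count=4, hash_total=118368, dollar_total_cents=23500)
KEYED_BATCH = [
    KeyedLine("INV-1001", "10041", 2, 2500, 5000),     # keyed correctly
    KeyedLine("INV-1002", "52171", 1, 12500, 12500),   # customer number transposed (25171)
    KeyedLine("INV-1003", "38901", 3, 1000, 3300),     # extension mis-keyed (3 x 1000 != 3300)
    KeyedLine("INV-1004", "44255", 4, 570, 2280),      # price mis-keyed but self-consistent
]
MASTER = {"10041": 0, "25171": 0, "38901": 0}          # 44255 is not on the master file

if __name__ == "__main__":
    for k, v in process_batch(KEYED_BATCH, CONTROL_SLIP, MASTER).items():
        print(k, v)
```

INV-1004 passes every per-record edit, since 4 x 570 really is 2280; only the dollar-total reconciliation against the control slip shows that the batch is 420 cents short. Likewise the update run posts only INV-1001, and only the run-to-run comparison (one record posted versus two accepted) exposes the lost update, which is the update completeness goal the chapter assigns to that plan.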